Cannot access company network from VPN client

DiVineUser
Level 1

Hi there,

I know this question has already been asked several times, but either the answers do not apply to my setup or I don't understand them... So please bear with me if I ask a question again which has already been asked before.

Specifically, I do not understand what others mean by NAT exemption. Which packets would be NATted but shouldn't? Why are they NATted? I do not have a NAT rule specified. (Or should I have specified one on the ASA?)

But please let me begin by explaining:

I have the following setup:
- Central firewall of type Sophos UTM
- several networks connected
- several IP addresses on WAN interface (one assigned for VPN)
- Cisco Firepower 1120 connected to eth1 with its "outside" interface
- between Sophos UTM and Cisco Firepower, there's a network 10.100.0.0/24 in which the UTM has the .1 and the Firepower has the .5
- On the UTM, there's a DNAT rule configured: "Forward all traffic arriving at the VPN IP address (123.123.123.124) to 10.100.0.5"
- there's no "inside" interface configured on the Firepower.
- There's an address pool configured on the Firepower ("vpnpool") with the addresses 10.242.10.0/24.
- There's a static route on the UTM configured forwarding all traffic to 10.242.10.0/24 to the Firepower (10.100.0.5)
- There's a masquerade rule defined on the UTM which allows 10.100.0.0/24 to access the Internet.

I'll post the rest of the Firepower's configuration to the attached file.
(Please note that I removed some unnecessary things like user definitions and so on as they should not impact the behaviour...)

Here's what I see:
- The connection can be established without any issues
- The VPN client is assigned an IP address from the VPN address pool (e. g. 10.242.10.1)
- The VPN client is able to reach the VPN gateway (ping 10.100.0.5)
- The VPN client is not able to reach the Sophos UTM (ping 10.100.0.1)

After reading other posts here, I also created a NAT rule so that traffic from 10.242.10.0/24 to the internal network (10.10.1.0/24) should not be translated (or: be kept original). 
(Is this a NAT exempt rule? Is this what I need here? If so, why?)

How and where do I specify which packets the Firepower puts into the tunnel and which packets it just sends out unencrypted?
Do I need any NAT rules here?
Do I need any static routes on the firepower? (The default route points to the Firewall which "knows" all networks...)

After adding the NAT rule, nothing changed. I have the same situation as before.
One small change I saw, though: the Firepower logged that ICMP packets from outside (10.10.1.1) to outside (10.242.10.1) have been blocked, even though I allowed ICMP everywhere.

Does anyone have an idea on what could be wrong in this scenario or how I could simplify it?

In my understanding, it would also be easier if I had an inside interface and an outside interface, but in my scenario I only have an outside interface. For me, this also complicates the situation. I would be glad if anyone could give me some advice.

Best
Tom

2 Replies

RachelGomez161999
Spotlight

Below are some tips on how to fix it.
Run a speed test. First, we recommend you run a speed test to check whether the problem lies with your VPN provider or your ISP.
Switch server. 
Switch VPN tunneling protocol. 
Change your port or IP protocol. 
Configure your security software. 
Change your VPN service provider.


This may help you,

Rachel Gomez

Hi Rachel,

thanks for your answer. Unfortunately, none of your hints helped fix the issue.

But in the meantime, I found out what was missing: As I am using the same ASA interface both for incoming and for outgoing traffic within and outside of the tunnel, I have a so-called U-turn VPN configuration (or also hairpin VPN configuration?).

In order for this to work properly, I have to issue the command 

same-security-traffic permit intra-interface

as described here: https://community.cisco.com/t5/vpn/u-turn-nat/td-p/3020897.

After that, my VPN is working fine!

Maybe this helps someone else...

Best
DiVineUser
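The two posts above (Tom's original question about NAT exemption, tunnel selection and static routes, and his own accepted fix) can be tied together in one configuration picture. The block below is an added illustration written for this thread, not the poster's attached configuration and not taken from Cisco documentation. It uses the addresses from the thread (VPN pool 10.242.10.0/24, transit network 10.100.0.0/24 with the Firepower at .5 and the UTM at .1, internal network 10.10.1.0/24) in ASA-style CLI; the object, ACL and group-policy names are invented, and if the Firepower 1120 runs FTD rather than ASA software, the same settings are entered through FMC/FDM and the exact syntax here should be treated as an assumption.

```cisco
! Added example for the thread above (assumed ASA-style CLI; object/ACL/policy names are illustrative).
! Addresses are the ones from the thread: VPN pool 10.242.10.0/24, transit net 10.100.0.0/24
! (Firepower outside = 10.100.0.5, UTM = 10.100.0.1), internal net 10.10.1.0/24.

! 1. The U-turn fix: decrypted client traffic enters on "outside" and must leave on "outside"
!    again to reach the UTM. By default the ASA drops traffic that enters and exits the same
!    interface, which is why 10.100.0.5 (the ASA itself) answered but 10.100.0.1 did not.
same-security-traffic permit intra-interface

! 2. Client address pool (the thread's "vpnpool")
ip local pool vpnpool 10.242.10.1-10.242.10.254 mask 255.255.255.0

! 3. Objects used by the NAT exemption
object network VPN_POOL
 subnet 10.242.10.0 255.255.255.0
object network INTERNAL_NET
 subnet 10.10.1.0 255.255.255.0
object network TRANSIT_NET
 subnet 10.100.0.0 255.255.255.0

! 4. "NAT exemption" = identity twice-NAT: client packets toward the internal and transit
!    networks keep their 10.242.10.x source address, so they are never caught by any dynamic
!    PAT rule on "outside" and the UTM's static route for 10.242.10.0/24 can carry replies back.
!    Both interface names are "outside" because of the U-turn. Without any NAT rule at all the
!    exemption is not strictly needed, but it keeps the behaviour explicit if PAT is added later.
nat (outside,outside) source static VPN_POOL VPN_POOL destination static INTERNAL_NET INTERNAL_NET no-proxy-arp route-lookup
nat (outside,outside) source static VPN_POOL VPN_POOL destination static TRANSIT_NET TRANSIT_NET no-proxy-arp route-lookup

! 5. Which packets go into the tunnel is decided on the client by the split-tunnel list pushed
!    from the group policy: only the listed destinations are sent encrypted, everything else
!    leaves the client unencrypted via its local default route. Omit this section for tunnel-all.
access-list SPLIT_ACL standard permit 10.10.1.0 255.255.255.0
access-list SPLIT_ACL standard permit 10.100.0.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

! 6. Routing: a default route toward the UTM is enough. No per-network static routes are
!    needed on the Firepower, because everything behind the UTM is reached via 10.100.0.1.
route outside 0.0.0.0 0.0.0.0 10.100.0.1 1

! 7. Checks after the change
show running-config same-security-traffic
show nat
packet-tracer input outside icmp 10.242.10.1 8 0 10.100.0.1
```

The `packet-tracer` line simulates the client's ping to the UTM and shows at which phase (ACL, NAT, route lookup, or the intra-interface check) a packet would be dropped, which is the quickest way to confirm the fix and to see whether a NAT rule is unexpectedly rewriting the pool address. The UTM side of the picture stays as Tom described it: the DNAT for the public VPN address to 10.100.0.5 and the static route for 10.242.10.0/24 pointing at 10.100.0.5.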